I'm involved yet again in the old argument on whether sudo without password is secure enough or not. I'm on the side of those who doesn't mind typing a password every time I use sudo, even if it's less convenient, because it means that not just any script that runs on the server can include sudo install-rootkit without me knowing it.

I also use it through multi-shell commands like gsh and terminator to send identical commands to multiple remote servers (CentOS 5).

The argument from the other side is that it's redundant and just inhibits him from using his favourite multi-shell command.

Google'ing about "sudo best practices" I didn't find much discussion about this, it seems that people are generally OK with password-less sudo.

Am I in the minority?

Would PCI-DSS compliance make a difference? (we aren't PCI-complient yet, but it's in the cards).

If you are using sudo to track commands, it will be logged whether you enter the password or not.

Other than that, prompting for password for every invocation of sudo may be at worse a minor inconvenience when managing small sites. At large sites, it may not be as scalable. In such instances, a person will use scripts or applications at the client side to store the password temporarily when executing sudo. At that point, you now have the potential of having that script or application being exploited and the user login credentials with superuser rights stolen from that client.

Putting aside that, the larger issue that you really don't need to be logging into server the unless it is for maintenance. Otherwise, you will increase the likelihood that some errant command will cause an outage. You may need to review your day-to-day activities and automate where necessary so that there is a less of a need to login and execute superuser commands (which will have the side benefit of reduction of complaints of having to enter the password every time).